FFT news digest Apr 19 2019

Facebook

Facebook hasn't had many good weeks recently, but this was a particularly bad one. Not only were its main services hit by at least two outages, but several reports revealed more damaging details of how it has used personal data - and it was forced to confirm that it had uploaded contacts from 1.5 million people without their permission. NBC News accessed some 4,000 internal Facebook documents that revealed how personal data had been leveraged in relationships with other companies. In just one example, Amazon's access was extended after it spent money on advertising with Facebook. As observers have pointed out, this is hardly surprising, but it will inevitably lead to further questions about what controls should be placed on the social media giant. Meanwhile, two weeks after it was revealed that Facebook had been exploiting its verification process to access people's contacts, the company admitted to Business Insider what it had done, but said it was unintentional (which would be quite an achievement). 

The Mueller Report

There’s no shortage of coverage of the Mueller Report and, from a cybersecurity perspective, there is little that wasn’t revealed in the 2018 indictment of 12 Russian military intelligence officers. But it’s worth recalling the key points, which go to the heart of how hacking operations work:
• Spearphishing works. The sorry tale of John Podesta and his Gmail account is well known, but Mueller reveals that hundreds of emails were sent to Clinton campaign employees and volunteers.
• Administrator passwords are the root of (almost) all evil. Among the stolen credentials was at least one with administrator privileges. This gave the attackers unfettered access to the targeted networks.
• Remote connectivity must be properly secured. Access to the Democratic National Committee was obtained through a VPN which compromised more than 30 computers, including the DNC’s mail server and a file server.
• If vulnerabilities exist, they will be exploited. Russia’s attacks were broad and went much further than the presidential election. In Illinois, Russian agents hacked the State Election Board by exploiting a vulnerability in its website.
• Encrypted messaging works. Mueller’s team was unable to corroborate witness statements and could not fully question witnesses because of the use of encrypted messaging platforms.

Shining a light on the Dark Web

A new study has analysed nearly 30,000 guides available on the Dark Web to find out what lessons are being taught by cyber criminals. Terbium Labs' report shows which types of data are most valued by fraudsters, but it also underlines how much support is available to anyone who wants to turn to cyber crime. Not surprisingly, email addresses and passwords are the most popular forms of personal data. Vast databases are available to support "credential stuffing", where combinations of usernames and passwords are tested against online services until a working combination is found. The research underlines yet again why reusing passwords is so dangerous and why a password manager and 2-factor authentication are essential tools to reduce your risk. But the study also reinforces a key lesson from our training courses: it's so easy to set oneself up as a cyber criminal that it's no surprise so many people are doing so. It's up to all of us to make their life more difficult.
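Credential stuffing leaves a recognisable trace on the service being attacked: one source trying many different usernames with a high failure rate, and the occasional success that marks a "working combination". The script below is an added example (not from the digest or from Terbium Labs) showing how a defender can spot that pattern in login logs. The log lines and their "ip=... user=... result=..." layout are constructed for the example; real audit formats differ and the thresholds are assumptions to tune per service.

```python
import re
from collections import defaultdict

# Constructed sample of web-login audit lines (not real data); the field
# layout "ip=... user=... result=..." is an assumption for this example.
SAMPLE_LOG = """\
2019-04-18T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-04-18T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-04-18T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-04-18T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-04-18T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-04-18T10:00:04Z ip=203.0.113.5 user=frank result=OK
2019-04-18T10:05:10Z ip=198.51.100.7 user=grace result=FAIL
2019-04-18T10:05:25Z ip=198.51.100.7 user=grace result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_auth_log(text):
    """Yield (ip, user, success) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "OK"


def stuffing_suspects(text, min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose login pattern looks like credential stuffing.

    A legitimate user mistyping a password hits one account and soon succeeds;
    a stuffing run hits many distinct accounts and fails on most of them.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for ip, user, ok in parse_auth_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if not ok:
            s["fails"] += 1
    suspects = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            suspects[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
            }
    return suspects


def accounts_to_reset(text, suspects):
    """Accounts a suspect source logged into successfully: the reused passwords that worked."""
    hits = set()
    for ip, user, ok in parse_auth_log(text):
        if ok and ip in suspects:
            hits.add(user)
    return hits


if __name__ == "__main__":
    found = stuffing_suspects(SAMPLE_LOG)
    print("suspect sources:", found)
    print("force password reset + 2FA enrolment for:", accounts_to_reset(SAMPLE_LOG, found))
```

The second function is the part that matters operationally: a successful login from a stuffing source means that user's reused password is now known to the attacker, so the response is a forced reset and 2-factor enrolment for that account, not just blocking the IP.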

Facial recognition

The relentless march of facial recognition continues with the US Department of Homeland Security saying it expects to use the technology on 97% of departing airline passengers within the next 4 years. The system works by cross-referencing photos taken at the departure gate with images taken on arrival. The aim is to reduce the number of people who overstay their visas, which US Customs and Border Protection estimates to total 600,000 visitors a year. Of course, once a database has been built containing millions of people's photographs there are plenty of other ways in which it could be used. Coincidentally, the New York Times this week published a report showing how video feeds streamed on the web could be analysed with Amazon's commercial facial recognition service to identify individuals. The experiment used 24 hours of video from cameras in New York's Bryant Park. The total cost of Amazon's service: about $60.

DNS hijacking

If you can control the internet's address book, there's no limit to the mischief you can make, and researchers say that's exactly what a state-backed hacking group has been up to. Cisco Talos found that an unnamed country had been hijacking Domain Name System (DNS) records so that they pointed to malicious copies of real websites. Its investigation revealed that at least 40 companies and governmental organisations across 13 countries in the Middle East and North Africa were targeted. As the report explains, this type of attack has the potential to be exceptionally damaging because it could "undermine the trust users have in the internet." In other words, you simply couldn't be sure that what you were seeing was real. As so often, Cisco Talos says these attacks began with targeted emails designed to obtain credentials from administrators. A key precaution for any website owner (or DNS registrar) is to use 2-factor authentication. It's not foolproof, but it makes phishing a whole lot harder.
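Two-factor authentication at the registrar stops the credentials being reused; the complementary control is noticing when your records have been changed anyway. The script below is an added example (not from the digest or from Cisco Talos) that compares a baseline of your own domains' A records against what the resolver currently answers and reports any drift. The hostnames use the reserved example.com zone and RFC 5737 documentation addresses, constructed for the example; the live lookup uses only the standard library, so it covers A records and not NS or MX, which would need a DNS library.

```python
import socket


def resolve_a_records(hostname):
    """Live IPv4 lookup through the system resolver (stdlib only; needs network access)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()  # NXDOMAIN or resolver failure: treated as "no answer"
    return {info[4][0] for info in infos}


def detect_dns_drift(expected, observed):
    """Compare baseline A records with what was actually observed.

    Returns {host: {"missing": set, "unexpected": set}} for every host whose
    answer differs from the baseline; an empty dict means nothing has moved.
    Either an address you never published or the loss of one you did is worth
    an alert: a hijack rewrites the record, it does not merely add to it.
    """
    drift = {}
    for host, want in expected.items():
        got = observed.get(host, set())
        missing, unexpected = want - got, got - want
        if missing or unexpected:
            drift[host] = {"missing": missing, "unexpected": unexpected}
    return drift


def check_live(expected):
    """Resolve every baseline host now and report drift (network required)."""
    observed = {host: resolve_a_records(host) for host in expected}
    return detect_dns_drift(expected, observed)


# Constructed baseline and observation: reserved example.com names and
# RFC 5737 documentation addresses, not real records.
BASELINE = {
    "www.example.com": {"192.0.2.10"},
    "mail.example.com": {"192.0.2.20", "192.0.2.21"},
    "vpn.example.com": {"192.0.2.30"},
}
OBSERVED = {
    "www.example.com": {"192.0.2.10"},      # unchanged
    "mail.example.com": {"198.51.100.9"},   # now answers with an address we never published
    "vpn.example.com": set(),               # no answer at all
}

if __name__ == "__main__":
    for host, delta in detect_dns_drift(BASELINE, OBSERVED).items():
        print(f"ALERT {host}: missing={sorted(delta['missing'])} unexpected={sorted(delta['unexpected'])}")
```

Run `check_live(BASELINE)` from a scheduled job and from more than one network vantage point; a hijack of the kind Talos describes is only visible from resolvers that have picked up the altered records, and querying your own authoritative servers alone can miss it.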

Anatomy of an Airbnb scam

Where there's a popular online service, there's someone figuring out how to subvert it to steal money from unsuspecting users. Veteran cybersecurity journalist Brian Krebs has a detailed look at a kit designed to trick Airbnb customers out of their cash. "Land Lordz" charges $550 a month for a basic subscription that allows a user to manage more than 500 fake properties. The scam works by diverting potential renters to a fake Airbnb site that looks like the real one but which is actually designed to steal their credentials and persuade them to pay a cash deposit. The examples found by Krebs are all in the UK, mostly in the London area, and are advertised on the listings service Gumtree. As he points out, when using online services, the key is to check the website name to make sure you're where you think you are. And never allow yourself to be persuaded to transfer money outside the service you're using.
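"Check the website name" is easy to say and easy to get wrong, because the part of a link that decides where you really are is the host name, not what appears before or after it. The function below is an added example (not from the digest or from Krebs' article) of the check a browser extension, mail filter or training exercise can apply: it extracts the host from a link the way a browser would, normalises it, and asks whether it is the genuine domain or a subdomain of it. The trusted-domain set is an assumption for the example; the sample links are constructed and use the reserved example.net name.

```python
from urllib.parse import urlsplit

# Assumption for the example: the only site the user means to be on.
TRUSTED_DOMAINS = {"airbnb.com"}


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'not-https', 'lookalike' or 'invalid' for a link.

    Only the host decides: text before an '@', a familiar name used as a
    subdomain of somewhere else, or a hyphenated imitation all fail the test.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops scheme, userinfo (user@), port and path; lowercases
        if not host:
            return "invalid"
        # Normalise: strip a trailing dot and convert non-ASCII labels to punycode,
        # so a homoglyph domain can never compare equal to the genuine one.
        host = host.rstrip(".").encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return "invalid"
    if not any(host == t or host.endswith("." + t) for t in trusted):
        return "lookalike"
    if parts.scheme != "https":
        return "not-https"
    return "trusted"


if __name__ == "__main__":
    # Constructed links for demonstration; example.net is a reserved name.
    for link in [
        "https://www.airbnb.com/rooms/12345",
        "http://airbnb.com/",
        "https://www.airbnb.com.example.net/login",
        "https://airbnb.com@example.net/",
        "https://airbnb-com.example.net/",
    ]:
        print(f"{classify_url(link):10s} {link}")
```

The check deliberately treats any host that is not the real domain or beneath it as a lookalike rather than trying to score "how similar" it is: for a user about to enter credentials or pay a deposit, the only useful answer is yes or no.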

In brief

The UK has finally announced a date for the introduction of an age verification system designed to prevent anyone under the age of 18 from accessing pornography. 

The Weather Channel had to resort to recorded programming after being hit by "malicious software." The FBI told the Wall Street Journal ($) that the cause was ransomware.

Hackers were able to read the emails of any non-corporate Microsoft account after they stole a Microsoft support agent's credentials, according to Motherboard. Microsoft said this applied to around 6% of a small number of impacted customers, but refused to specify how many users were affected in total.

It's extraordinary that pregnancy and parenting club, Bounty UK, thought it could get away with illegally sharing personal details of more than 14 million people. It couldn't, and the UK data regulator fined it £400,000 in what it called an unprecedented case. Bounty was lucky. Had the fine been under new EU regulations it would probably have been much higher.

Instagram has been hit by devious phishing scams called "The Hot List" and "The Nasty List". As Bleeping Computer reports, they're designed to steal user credentials and employ a realistic looking fake login page.

There's been a resurgence in the use of malicious PDF files sent as email attachments. Sonicwall says many try to persuade users to click links leading to infected webpages. 

Updates

Oracle: 297 updates in the quarterly release, including 53 for the Fusion Middleware product line, 42 of which are for vulnerabilities that could be exploited remotely. Also 5 key updates for Java SE.

Drupal: Updates address multiple "moderately critical" vulnerabilities in the Drupal Core content management system that could enable remote attacks on hundreds of thousands of websites.

Cisco: Patches for 30 vulnerabilities, including a critical issue affecting ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit software.

LibreOffice: Latest version 6.2.3 fixes 90 bugs and regressions.

Zimbra: 6 new patches - Zimbra 8.8.12 “Isaac Newton” Patch 1, Zimbra 8.8.11 “Homi Bhabha” Patch 4, Zimbra 8.8.10 “Konrad Zuse” Patch 8, Zimbra 8.8.9 “Curie” Patch 10, Zimbra 8.7.11 Patch 11, Zimbra 8.6.0 Patch 14.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217